SCIM Directory Integration - OneLogin

By Ryan Cleary

Configure a SCIM user directory integration with OneLogin

Before You Begin

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji tenant. You will need to obtain the SCIM access token and API URL.
  • Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.

Create the SCIM Integration in OneLogin

  1. Log into your OneLogin admin console. (example: https://accuhive.onelogin.com/admin2)
  2. In the top navigation, hover over Applications.
  3. Click Applications in the drop-down menu.
  4. Near the top-right, click Add App.
  5. In the text field, enter SCIM Provisioner.
  6. Click on SCIM Provisioner with SAML (SCIM v2 Enterprise).

Configure SCIM settings

Once in the SCIM Provisioner with SAML (SCIM v2 Enterprise) application, use the following steps to configure the SCIM settings. The following steps include provisioning users and groups (roles).

Info

  1. (optional) Update the app Display Name to something like Kandji SCIM Provisioner
  2. (optional) Choose whether to make the app visible in the OneLogin portal.
  3. (optional) Add an icon.
  4. (optional) Add a description.
  5. After completing the basic configuration, click Save.

Parameters

  1. Navigate to the Parameters page.
  2. Click the add (+) button on the right.
  3. Enter email.value into the Field name.
  4. Click Save.
  5. Click on the email.value Parameter and set the value to Email.
  6. Click Save.

Configuration

  1. Navigate to the Configuration page.
  2. In the SCIM Base URL field, paste the Kandji SCIM URL from the integration created earlier using the SCIM Directory Integration support article. (Example: https://accuhive.api.kandji.io/api/v1/scim).
  3. In the SCIM Bearer Token field, paste the token that you copied when creating the integration in Kandji.
  4. Click Enable to turn on the API Connection.
  5. Click Save.

Provisioning

  1. Go to the Provisioning page.
  2. Select the box to Enable provisioning.
  3. Uncheck the boxes next to Create user, Delete user, and Update user.
  4. For the option When users are deleted in OneLogin, or the user's app access is removed..., choose Delete.
  5. For the option When user accounts are suspended in OneLogin..., choose Suspend.
  6. Now, in the top-right, click Save to keep the initial configuration.
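The Configuration and Provisioning settings above determine what the provisioner sends to the Kandji SCIM base URL: every request carries the bearer token, user creation populates the emails attribute that the email.value parameter maps to, a suspension becomes a SCIM PATCH that sets active to false, and a deletion becomes a SCIM DELETE. The following Python block is an added example that models those three requests per the SCIM v2 protocol (RFC 7644); it is not OneLogin's or Kandji's code, the base URL and token are constructed placeholders, and the exact payload OneLogin emits may carry additional attributes.

```python
"""Model of the SCIM v2 requests a provisioner sends for the user lifecycle.
Added example: not OneLogin or Kandji code; values below are constructed."""
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed placeholders; use your own tenant's values from the integration.
BASE_URL = "https://example-tenant.api.kandji.io/api/v1/scim"
TOKEN = "PLACEHOLDER_SCIM_TOKEN"


def auth_headers(token: str) -> dict:
    """Every SCIM call is authenticated with the bearer token from Kandji."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def create_user_request(base_url, token, user_name, given, family, email):
    """POST /Users: emails[0].value is what the email.value parameter fills."""
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return {"method": "POST", "url": f"{base_url.rstrip('/')}/Users",
            "headers": auth_headers(token), "body": json.dumps(body)}


def suspend_user_request(base_url, token, user_id):
    """PATCH /Users/{id}: the 'Suspend' choice deactivates rather than deletes."""
    body = {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }
    return {"method": "PATCH", "url": f"{base_url.rstrip('/')}/Users/{user_id}",
            "headers": auth_headers(token), "body": json.dumps(body)}


def delete_user_request(base_url, token, user_id):
    """DELETE /Users/{id}: the 'Delete' choice removes the user from Kandji."""
    return {"method": "DELETE", "url": f"{base_url.rstrip('/')}/Users/{user_id}",
            "headers": auth_headers(token), "body": None}


def redact(request: dict) -> dict:
    """Copy of a request with the bearer token masked, safe to write to logs."""
    safe = dict(request)
    safe["headers"] = {
        k: re.sub(r"Bearer \S+", "Bearer ***", v) for k, v in request["headers"].items()
    }
    return safe


if __name__ == "__main__":
    for req in (
        create_user_request(BASE_URL, TOKEN, "jdoe", "Jane", "Doe", "jdoe@example.com"),
        suspend_user_request(BASE_URL, TOKEN, "u-123"),
        delete_user_request(BASE_URL, TOKEN, "u-123"),
    ):
        print(json.dumps(redact(req), indent=2))
```

Running the block prints the three requests with the token masked; the redact helper is the shape of logging you want around any script that handles the SCIM token, since the token is shown only once in Kandji and grants write access to the directory.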

Provision Users and Roles (Kandji groups) to Kandji

Use the following steps to send users and OneLogin roles to Kandji via the SCIM integration.

OneLogin roles are synonymous with groups in Kandji, and are assigned to the SCIM configuration. When users are assigned to roles in OneLogin, they are then pushed to Kandji. Additionally, any roles assigned to the SCIM app are pushed to Kandji as groups.

Creating a role

  1. In the top navigation, hover over Users.
  2. In the dropdown menu, click Roles.
  3. Click New Role.
  4. Give the Role a name.
  5. Select the apps that should be assigned to the role. In this case, we selected the SCIM app.
  6. Click Save.

Assigning users to the role

  1. Click back into the role that was just created.
  2. Click Users.
  3. Under Users Added Automatically, click New Mapping.
  4. Give the Mapping a name.

  5. Create the conditions that meet your needs. For this example, we choose Group membership as the criteria, but you can use other criteria like department.

     OneLogin only allows a user to be a member of one group, so you can think of OneLogin groups like an attribute that describes the user, similar to department or location. Use OneLogin roles if a user needs to be a member of more than one "group".

  6. Under Actions, choose the role that should be applied.
  7. Click Save.
  8. For more information on Group provisioning, please see OneLogin's documentation here.

If desired, users can also be added to the SCIM apps manually from each user's record.

Adding a rule to the SCIM app

Use the steps below to push one or more roles (Kandji groups) to Kandji in the OneLogin SCIM app.

  1. In the SCIM app, click Rules.
  2. Click Add Rule.
  3. Give the rule a name.
  4. Under Actions, choose Set Groups in from the first drop down.
  5. Select Map from OneLogin.
  6. In the For each field, choose role from the dropdown.
  7. In the with value that matches field, enter the SCIM Role to push to Kandji as a group.
  8. Click Save.
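The rule above ("Set Groups in", "Map from OneLogin", for each role with a value that matches) turns a subset of OneLogin roles into Kandji groups, with each user's role memberships becoming group memberships. The Python block below is an added example of that mapping, not OneLogin's or Kandji's code: it assumes the "with value that matches" field is a regular expression (treat that as an assumption and check OneLogin's rule editor), and the users and roles are constructed sample data.

```python
"""Role-to-group mapping as described by the SCIM app rule.
Added example with constructed data; not OneLogin or Kandji code."""
import re

SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed OneLogin users; 'roles' lists the roles assigned to each user.
# Note that a user may hold several roles, unlike OneLogin groups.
SAMPLE_USERS = [
    {"id": "u-1", "userName": "jdoe", "roles": ["Kandji-Engineering", "Kandji-MacAdmins"]},
    {"id": "u-2", "userName": "asmith", "roles": ["Kandji-Engineering"]},
    {"id": "u-3", "userName": "bwu", "roles": ["Finance"]},
]


def roles_to_scim_groups(users, pattern):
    """Return SCIM Group resources for every role whose name matches `pattern`.

    Mirrors the rule: for each role, with value that matches <pattern>,
    set the user's groups. Roles that do not match (e.g. 'Finance') are
    never sent to Kandji, and users holding only such roles get no group.
    """
    matcher = re.compile(pattern)
    members_by_role = {}
    for user in users:
        for role in user["roles"]:
            if matcher.fullmatch(role):
                members_by_role.setdefault(role, []).append(
                    {"value": user["id"], "display": user["userName"]}
                )
    return [
        {"schemas": [SCIM_GROUP_SCHEMA], "displayName": role, "members": members}
        for role, members in sorted(members_by_role.items())
    ]


def groups_for_user(groups, user_id):
    """Group names a given user will belong to in Kandji after the push."""
    return sorted(
        g["displayName"] for g in groups
        if any(m["value"] == user_id for m in g["members"])
    )


if __name__ == "__main__":
    groups = roles_to_scim_groups(SAMPLE_USERS, r"Kandji-.*")
    for g in groups:
        print(g["displayName"], [m["display"] for m in g["members"]])
    print("bwu ->", groups_for_user(groups, "u-3"))
```

The fullmatch on the role name is the check worth keeping in mind when you write the rule: an overly broad pattern pushes roles to Kandji that were never meant to be device groups, while a pattern that is too narrow silently leaves users without any group assignment.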

Pushing updates

Syncing

User and group syncing is one-way, meaning the SCIM app will send user information to Kandji only when there is new or updated information to be sent. For this reason, a "Sync Now" option is not needed in the Kandji web app.

If the SCIM app is updated in OneLogin, you will need to save the change and then use the Reapply entitlement mappings option.

  1. Hover over the More Actions menu.
  2. Click on the Reapply entitlement mappings option.